Cyber Resilience

CVE-2023-37903

Critical · RCE

Published: 21 July 2023
Modified: 03 November 2025
KEV Added: not listed
Patch: none available
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4009 (97.4th percentile)
Risk Priority: 44 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37903 is a critical-severity OS Command Injection (CWE-78) vulnerability in the vm2 library (vendor: vm2 project). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS 97.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

vm2 is an open source sandbox for Node.js that is affected by CVE-2023-37903 in all versions through 3.9.19. The flaw resides in the handling of Node.js custom inspect functions, which can be abused to break out of the sandbox and execute arbitrary code. The issue carries a CVSS score of 9.8 and is tracked under CWE-78.

An attacker who already possesses an arbitrary code execution primitive inside a vm2 sandbox can exploit the inspect function to escape isolation and obtain remote code execution on the host. No authentication or user interaction is required, and the attack can be performed over the network.

The referenced GitHub advisory GHSA-g644-9gfx-q4q4 and associated NetApp bulletins state that no patches exist and no workarounds are known, advising users to migrate to alternative sandboxing solutions. The EPSS score has remained at 0.4009 with no material increase after disclosure.

EU & UK References

Vulnerability details

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vm2 project
Product: vm2
Affected versions: ≤ 3.9.19

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-78) Platform-independent applications typically run inside a managed runtime or sandbox that restricts direct OS command execution, which limits the ability to exploit OS command injection.

- (addresses CWE-78) Input validation that blocks special elements which would alter OS command execution.

References